Techniques for permitting access across a context barrier on a small footprint device using an entry point object

ABSTRACT

A small footprint device can securely run multiple programs from unrelated vendors by the inclusion of a context barrier isolating the execution of the programs. The context barrier performs security checks to see that principal and object are within the same namespace or memory space and to see that a requested action is appropriate for an object to be operated upon. Each program or set of programs runs in a separate context. Access from one program to another program across the context barrier can be achieved under controlled circumstances by using an entry point object. The entry point object can either perform accesses across the context barrier on behalf of a requesting program or can pass the request to the program to be accessed and switch contexts to the program to be accessed.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application claims priority based on parent application Ser. No.09/235,157, now U.S. Pat. No. 6,633,984, entitled “TECHNIQUES FORPERMITTING ACCESS ACROSS A CONTEXT BARRIER ON A SMALL FOOTPRINT DEVICEUSING AN ENTRY POINT OBJECT” by Joshua Susser, Mitchel B. Butler andAndy Streich, filed on Jan. 22, 1999 commonly assigned herewith;

This application is related to:

U.S. patent Ser. No. 10/664,216, entitled “Virtual Machine with SecurelyDistributed Bytecode Verification” by inventors Moshe Levy and JudySchwabe, filed on Sep. 16, 2003, which is a continuation of U.S. patentSer. No. 10/283,305, now U. S. Pat. No. 6,640,279, entitled “VirtualMachine with Securely Distributed Bytecode Verification” by inventorsMoshe Levy and Judy Schwabe, filed on Oct. 30, 2002, which is acontinuation of U. S. patent Ser. No. 09/547,225, now U. S. Pat. No.6,546,454, entitled “Virtual Machine with Securely Distributed BytecodeVerification” by inventors Moshe Levy and Judy Schwabe, filed on Apr.11, 2000, which is a continuation of parent application Ser. No.08/839,621, now U. S. Pat. No. 6,092,147, filed Apr. 15, 1997 entitled“Virtual Machine with Securely Distributed Bytecode Verification” byinventors Moshe Levy and Judy Schwabe, which application is incorporatedherein by reference in its entirety;

U.S. patent application Ser. No. 09/235,158, filed Jan. 22, 1999,entitled “TECHNIQUES FOR IMPLEMENTING SECURITY ON A SMALL FOOTPRINTDEVICE USING CONTEXT BARRIER”, in the name of inventors Joshua Susser,Mitchel B. Butler, and Andy Streich, which issued as U.S. Pat. No.6,823,520 on Nov. 23, 2004, and which application is incorporated hereinby reference in its entirety;

U.S. patent application Ser. No. 09/235,155, filed Jan. 22, 1999,entitled “TECHNIQUES FOR PERMITTING ACCESS ACROSS A CONTEXT BARRIER ON ASMALL FOOTPRINT DEVICE USING RUN TIME ENVIRONMENT PRIVILEGES”, in thename of inventors Joshua Susser, Mitchel B. Butler, and Andy Streich,which issued as U.S. Pat. No. 6,922,835 on Jul. 26, 2005, and whichapplication is incorporated herein by reference in its entirety;

U.S. patent application Ser. No. 09/235,156, filed Jan. 22, 1999,entitled “TECHNIQUES FOR PERMITTING ACCESS ACROSS A CONTEXT BARRIER IN ASMALL FOOTPRINT DEVICE USING GLOBAL DATA STRUCTURES”, in the name ofinventors Joshua Susser, Mitchel B. Butler, and Andy Streich, whichissued as U.S. Pat. No. 6,907,608 on Jun. 14, 2005, and whichapplication is incorporated herein by reference in its entirety; and

U.S. patent application Ser. No. 09/235,159, filed January 22, 1999,entitled “TECHNIQUES FOR PERMITTING ACCESS ACROSS A CONTEXT BARRIER IN ASMALL FOOTPRINT DEVICE USING SHARED OBJECT INTERFACES”, in the name ofinventors Joshua Susser, Mitchel B. Butler, and Andy Streich, whichissued as U.S. Pat. No. 7,093,122 on Aug. 15, 2006, and whichapplication is incorporated herein by reference in its entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to computer security and more particularly totechniques for implementing a security on small footprint devices, suchas smart cards.

2. Description of Related Art

A number of object oriented programming languages are well known in theart. Examples of these include the C++ language and the Smalltalklanguage.

Another such object oriented language is the JAVA™ language. Thislanguage is described in the book Java™ Language Specification, by JamesGosling et al. and published by Addison-Wesley. This work isincorporated herein by reference in its entirety. The JAVA™ language isparticularly well suited to run on a Java™ Virtual Machine. Such amachine is described in the book Java™ Virtual Machine Specification, byTim Lindholm and Frank Yellin which is also published by Addison-Wesleyand which is also incorporated herein by reference in its entirety.

A number of small footprint devices are also well known in the art.These include smart cards, cellular telephones, and various other smallor miniature devices.

Smart cards are similar in size and shape to a credit card but contain,typically, data processing capabilities within the card (e.g. aprocessor or logic performing processing functions) and a set ofcontacts through which programs, data and other communications with thesmart card may be achieved. Typically, the set of contacts includes apower source connection and a return as well as a clock input, a resetinput and a data port through which data communications can be achieved.

Information can be written to a smart card and retrieved from a smartcard using a card acceptance device. A card acceptance device istypically a peripheral attached to a host computer and contains a cardport, such as a slot, in to which a smart card can be inserted. Onceinserted, contacts or brushes from a connector press against the surfaceconnection area on the smart card to provide power and to permitcommunications with the processor and memory typically found on a smartcard.

Smart cards and card acceptance devices (CADs) are the subject ofextensive standardization efforts, e.g. ISO 7816.

The use of firewalls to separate authorized from unauthorized users iswell known in the network environment. For example, such a firewall isdisclosed in U.S. patent application Ser. No. 09/203,719, filed Dec. 1,1998 and entitled “AUTHENTICATED FIREWALL TUNNELLING FRAMEWORK” in thename of inventor David Brownell, which application is incorporatedherein by reference in its entirety.

A subset of the full Java™ platform capabilities has been defined forsmall footprint devices, such as smart cards. This subset is called theJava Card™ platform. The uses of the Java Card™ platform are describedin the following publications.

-   -   JAVA CARD™ 2.0—LANGUAGE SUBSET AND VIRTUAL MACHINE        SPECIFICATION;    -   JAVA CARD™ 2.1—APPLICATION PROGRAMMING INTERFACES;    -   JAVA CARD™ 2.0—PROGRAMMING CONCEPTS;    -   JAVA CARD™ APPLET DEVELOPER'S GUIDE.

These publications are incorporated herein by reference in theirentirety.

A working draft of ISO 7816—Part 11 has been circulated for comment.That draft specifies standards for permitting separate executioncontexts to operate on a smart card. A copy of that working draft ishereby incorporated by reference in its entirety.

The notion of an execution context is well known in computer science.Generally speaking, the use of multiple execution contexts in acomputing environment provides a way to separate or isolate differentprogram modules or processes from one another, so that each can operatewithout undue interference from the others. Interactions—if any—betweendifferent contexts are deliberate rather than accidental, and arecarefully controlled so as to preserve the integrity of each context. Anexample of multiple contexts is seen in larger hardware devices, such asmainframes, where a plurality of virtual machines may be defined, eachsuch virtual machine having its own execution context. Another exampleis seen in U.S. Pat. No. 5,802,519 in the name of inventor De Jong,which describes the use of multiple execution contexts on a smart card.It will be appreciated by those of skill in the art that a computingenvironment which provides multiple execution contexts also needs toprovide a mechanism for associating any given executing code with itscorresponding context.

Also well known is the notion of a current context. Certain computingenvironments that support multiple contexts will, at any given time,treat one context in particular as an active focus of computation. Thecontext can be referred to as the “current context.” When the currentcontext changes, so that some other context becomes the current context,a “context switch” is said to occur. As will be appreciated by those ofskill in the art, these computing environments provide mechanisms forkeeping track of which context is the current one and for facilitatingcontext switching.

In the prior art, in the world of small footprint devices, andparticularly in the world of smart cards, there was no inter-operationbetween contexts operating on the small footprint devices. Each contextoperated totally separately and could operate or malfunction within itscontext space without affecting other applications or processes in adifferent context.

One layer of security protection utilized by the Java™ platform iscommonly referred to as a sandbox model. Untrusted code is placed into a“sandbox” where it can “play” safely without doing any damage to the“real world” or full Java™ environment. In such an environment, Java™applets don't communicate, but each has its own name space.

Some smart card operating systems don't permit execution contexts tocommunicate directly, but do permit communications through an operatingsystem, or through a server.

The Problems

A number of problems exist when trying to place computer programs andother information on a small footprint device. One of the compellingproblems is the existence of very limited memory space. This requiresoften extraordinary efforts to provide needed functionality within thememory space.

A second problem associated with small footprint devices is the factthat different small footprint device manufacturers can utilizedifferent operating systems. As a result, applications developed for oneoperating system are not necessarily portable to small footprint devicesmanufactured by a different manufacturer.

If programs from more than one source of programs (manufacturer orvendor) are to be applied to a single small footprint device, securitybecomes a factor as one attempts to avoid corruption of existingprograms and data when a new program is loaded on to the small footprintdevice. The same concern exists when one wishes to prevent a hacker or amalicious person from accessing programs and data.

It is clear that small footprint devices such as smart cards don't havethe resources necessary to implement separate virtual machines.Nevertheless, it is desirable to maintain strict security betweenseparate execution contexts.

In the past, security was provided by loading only applications from thesame source or from a known trusted source onto a smart card or othersmall footprint device.

Accordingly, it would be desirable to allow object-oriented interactionbetween selected execution contexts only in safe ways via fast efficientpeer to peer communications which do not impose undue burdens on theprogrammer but facilitate dynamic loading of applets written atdifferent times by untrusted sources.

SUMMARY OF THE INVENTION

The invention is directed to providing a context barrier (sometimesreferred to as a firewall) for providing separation and isolation of onecontext from another and to provide controlled access across the barrierwhen that is needed.

In accordance with the invention, two execution contexts, e.g. eachcontaining one or more applets, running in the same logical (i.e.,virtual or real) machine, protected from each other, can shareinformation in a controlled, secure way, using language mechanisms, suchas object-oriented language mechanisms. Security can be, for example,object by object. Thus, a method in a first execution context can accessa first object A in a second execution context, but not a second objectB in the second execution context on a selective basis.

In accordance with one exemplary embodiment, an enhanced Java™ VirtualMachine (VM) provides certain run-time checks of attempted access acrossexecution contexts in the VM. Checks can be automatic by the VM or codedby the programmer with support from the VM. This can be done usinglanguage-level communication mechanisms. In this way, one can expressobject access across execution contexts in the same way as other objectaccesses using the language are made. These run-time checks provide asecond dimension of defense/security beyond that which the Java™language and platform already provide.

These mechanisms provide protection against, e.g., security holes due toprogramming bugs (such as declaring a datum “public” (global) when itshouldn't be accessible to all contexts). They also allow fine-graincontrol of sharing (such as selection of objects to share and applets toshare to).

The invention is also directed to computer program products and carrierwaves related to the other aspects of the invention.

The foregoing and other features, aspects and advantages of the presentinvention will become more apparent from the following detaileddescription of the present invention when taken in conjunction with theaccompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will be apparentfrom the following description in which:

FIG. 1 is an illustration of a computer equipped with a card acceptancedevice and of a smart card for use with the card acceptance device.

FIG. 2 is an illustration of a computer equipped with a card acceptancedevice connected to a network.

FIG. 3 is an exemplary hardware architecture of a small footprintdevice, such as a smart card, of the prior art.

FIG. 4 illustrates objects being accessed by principals as done in theprior art.

FIG. 5 is an exemplary security model which can be used in explainingthe various embodiments of the invention.

FIG. 6 is a block diagram showing separation of execution contexts by afirewall or context barrier in accordance with one aspect of theinvention.

FIG. 7 is a representation of a software architecture useful in carryingout the invention.

FIG. 8 is a flow chart of a security enforcement process implementing afirewall in accordance with one aspect of the invention.

FIG. 9 is a block diagram showing object access across a firewall inaccordance with one aspect of the invention.

FIG. 10 is a block diagram showing cascaded object access across afirewall.

FIG. 11 is a flow chart of a process for permitting access by aprincipal in one context across a firewall into another context.

FIG. 12 is a block diagram illustrating the use of an entry point objectto permit access across a firewall.

FIG. 13 is a block diagram illustrating the use of a global datastructure such as an array for access across a firewall.

FIG. 14 is a block diagram illustrating the use of a supercontext topermit access across a firewall.

FIG. 15 is a block diagram illustrating the use of shareable interfaceobjects to permit access across a firewall.

FIG. 16 is a flow chart of a security enforcement process permittingaccess across a firewall.

FIG. 17 is the f low chart of FIG. 16 showing details of block 1620.

FIG. 18 is a flow chart showing an exemplary implementation of block1629 of FIG. 17.

NOTATIONS AND NOMENCLATURE

The detailed descriptions which follow may be presented in terms ofprogram procedures executed on a computer or network of computers. Theseprocedural descriptions and representations are the means used by thoseskilled in the art to most effectively convey the substance of theirwork to others skilled in the art.

A procedure is here, and generally, conceived to be a self-consistentsequence of steps leading to a desired result. These steps are thoserequiring physical manipulations of physical quantities. Usually, thoughnot necessarily, these quantities take the form of electrical ormagnetic signals capable of being stored, transferred, combined,compared, and otherwise manipulated. It proves convenient at times,principally for reasons of common usage, to refer to these signals asbits, values, elements, symbols, characters, terms, numbers, or thelike. It should be noted, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities.

Further, the manipulations performed are often referred to in terms,such as adding or comparing, which are commonly associated with mentaloperations performed by a human operator. No such capability of a humanoperator is necessary, or desirable in most cases, in any of theoperations described herein which form part of the present invention;the operations are machine operations. Useful machines for performingthe operation of the present invention include general purpose digitalcomputers or other computational devices.

The present invention also relates to apparatus for performing theseoperations. This apparatus may be specially constructed for the requiredpurpose or it may comprise a general purpose computer as selectivelyactivated or reconfigured by a computer program stored in the computer.The procedures presented herein are not inherently related to aparticular computer or other apparatus. Various general purpose machinesmay be used with programs written in accordance with the teachingsherein, or it may prove more convenient to construct more specializedapparatus to perform the required method steps. The required structurefor a variety of these machines will appear from the description given.

DETAILED DESCRIPTION

Attached as an Appendix to this specification is an unpublished draft ofa document entitled JAVA CARD RUNTIME ENVIRONMENT 2.1 SPECIFICATION.This draft document, which provides further detailed description ofspecific embodiments of the invention, is incorporated in its entiretyas an integral part of the present specification.

Although the inventive techniques are described hereinafter in thecontext of a smart card example, the example is merely illustrative andshouldn't limit the scope of the invention.

FIG. 1 is an illustration of a computer 120 equipped with a cardacceptance device 110 and a smart card 100 for use with the cardacceptance device 110. In operation, the smart card 100 is inserted intocard acceptance device 110 and power and data connections appliedthrough a set of contacts 105 accessible at the surface of the smartcard 100. When the card is inserted, mating contacts from the cardacceptance device 110 interconnect with the surface contacts 105 topower-up the card and permit communications with the onboard processorand memory storage.

FIG. 2 is an illustration of a computer equipped with a card acceptancedevice, such as 120 in FIG. 1, connected to a network 200. Alsoconnected to a network are a plurality of other computing devices, suchas server 210. It is possible to load data and software onto a smartcard over the network 200 using card equipped device 120. Downloads ofthis nature can include applets or other programs to be loaded onto asmart card as well as digital cash and other information used inaccordance with a variety of electronic commerce and other applications.The instructions and data used to control processing elements of thecard acceptance device and of the smart card may be stored in volatileor non-volatile memory or may be received directly over a communicationslink, e.g., as a carrier wave containing the instructions and/or data.Further, for example, the network can be a LAN or a WAN such as theInternet or other network.

FIG. 3 is an exemplary hardware architecture of a small footprintdevice, such as a smart card, of the prior art. As shown in FIG. 3, aprocessor 300 interconnects with primary storage 310 which may includeread only memory 315 and/or random access memory 316. The processor alsoconnects with a secondary storage 320 such as EEPROM and with aninput/output 330, such as a serial port. One can see the small footprintdevices of this nature can be very simple.

FIG. 4 illustrates objects being accessed by principals as done in theprior art. As shown in FIG. 4, physical device 400, such as the smallfootprint device may have contained within it one or more processingmachines (virtual or physical) which are running an execution context420. The execution context may be, for example, a context associatedwith a particular applet. One or more principals 430 (e.g., applets orapplications) in the execution context may seek to access other objectswithin the execution context. As long as the access occurs within theexecution context, the accesses will be permitted and everything willfunction normally.

FIG. 5 is an exemplary security model which can be used in explainingthe various embodiments of the invention. It is just one of many modelswhich might be utilized but is a convenient model for this purpose. Inthis model, a principal (sometimes called entity) 500 proposes to takean action 510 on an object, such as object 520. Security checks may beimposed on the principal, on the object, and/or on the action proposedto be taken.

In FIG. 5, two types of objects are shown on which action may be takenby a principal. These include data objects, (e.g. data1 and data2 (520,520′)) and entity 530. A principal may operate or attempt to operate onany of these objects.

While data is passive, an entity 530 is active. The diagram line fromPrincipal to an active entity is also labeled “action,” but this couldbe a more sophisticated and arbitrarily complex action, such as making afunction or method call or sending a message as compared with action ona data object. As with data, a security check enforced by the operatingsystem may use the identity of the principal, the identity of theentity, and/or the type of action. Furthermore, the entity, beingactive, can perform its own additional security checks. These can be asarbitrarily complex as one desires, and can make use of the identity ofthe Principal, the identity of the entity itself, the action, and/or anyother information that is available.

In an object-oriented system (such as the Java Card™ platform) “objects”are typically a combination of data and entity. When a Principal triesto access a field of an object, this is a data access—a fairly simpleaction protected by a fairly simple security check. When a Principaltries to access a method of an object, this is an entity access, whichcan be arbitrarily complex both in action and in security check.

FIG. 6 is a block diagram showing separation of execution contexts by afirewall or context barrier in accordance with one aspect of theinvention. The physical device 400 and the machine 410 correspond to thesame items shown in FIG. 4. An execution context 420 shows one principal430 attempting to access object 440 within the context. This accesswould normally succeed. However, execution context 420 also shows aprincipal 630 attempting to access object 640 of execution context 620,across a context barrier 600. Normally, this access would be prohibitedas indicated by the X 636 where the action 635 crosses the contextbarrier 600.

FIG. 7 is a representation of a software architecture useful in carryingout the invention. This software architecture is shown as a run timeenvironment 700. An operating system 710 for the small footprint deviceis commonly used. A virtual machine 720, in an exemplary embodiment ofthe invention, is implemented over the operating system. The virtualmachine could be a Java Card™ virtual machine or other virtual machine

The capabilities of a standard virtual machine can be expanded toprovide the additional functionality described herein or thefunctionality can be provided as separate modules. The virtual machine720 may include an interpreter or native implementation 730 whichprovides access to a run time system 740. The run time system includesobject system 750 for managing the objects of an object orientedimplementation. Three contexts, 760, 770 and 780, are shown. Eachcontext is separated from the other by a context barrier (sometimesreferred to as a firewall) between the execution contexts. Context 760is, in one specific embodiment, a supercontext. That is, context 760 hasprivileges and capabilities not available to subordinate contexts 770and 780, potentially including privileges to create entry point objectsor global data structures, and to access objects in subordinate contexts770 and 780.

Every object is associated with one particular context. That context issaid to own each object that is associated with it. The runtime system740 provides a means for uniquely identifying contexts, and a means forspecifying and identifying the currently executing context. The objectsystem 750 provides a mechanism for associating objects with theirowning contexts. For example, the runtime 740 can identify contexts witha unique name, and correspondingly the object system 750 can associateobjects with that context by recording the context's name in theobject's header. Information in the object's header cannot be accessedby programs written in the object-oriented language, but is onlyavailable to the virtual machine 720 itself. Alternately, the runtimesystem 740 can identify contexts by dividing the memory space intoseparate regions, each for a particular context, and correspondingly theobject system 750 can associate objects with that context by allocatingthe object's storage in that context's memory space.

FIG. 8 is a flow chart of a security enforcement process implementing acontext barrier in accordance with one aspect of the invention. When aprincipal invokes an action on an object (800) a check is made todetermine whether the object is within the context of the principal(810). If it is not, the action is disallowed (840). Otherwise, theaction is permitted (830). This is the simplest form of context barrieror firewall. In one specific embodiment the action is disallowed (840)by throwing a security exception if the object is outside of thenamespace or the memory space of the context requesting access.

FIG. 9 is a block diagram showing object access across a firewall inaccordance with one aspect of the invention. FIG. 9 is substantiallysimilar to FIG. 6. However, FIG. 9 also shows principal 900 seeking toaccess object 910 in order to perform action 905 on the object 910.According to the invention, rather than having the access blocked by thefirewall 600, in the way that action 635 is blocked, action 905 ispermitted to occur across the firewall through access point 920 so thatprincipal 900 can perform action 905 on object 910 notwithstanding thefact that the principal and the object are in different executioncontexts. The mechanisms behind access point 920 are described belowwith reference to FIGS. 12-18. Note that access point 920 can coexistwith obstructed accesses such as X 636. Thus access point 920 providesfine-grain control of sharing (object by object security) across contextbarrier 600.

When object access 900 is initiated, the current context setting iscontext 420. If the object 910 is a data object, the action 905 is asimple data access, and no code is executed in the second context 620.If the object 910 is an entity object, and the action 905 results inthat object's code being executed, that code is executed in the secondcontext 620. To execute the code of object 910 in the correct context620, the virtual machine 410 performs a context switch. The contextswitch changes the current context setting to be context 620, and theprevious value of the current context setting is stored so that it canbe restored later. From that point on code will execute in the newcurrent context. When the action 905 completes, control is returned tothe point following access 900. During the return, the virtual machine410 must restore the value of the current context setting to itsprevious value.

FIG. 10 is a block diagram showing cascaded object accesses across afirewall. FIG. 10 shows three execution contexts, 1000, 1010 and 1020.Principal 1030 in execution context 1 seeks to invoke an action 1035 onobject 1050 in execution context 2 and does so through access point 1070in context barrier 600. Object 1050 in execution context 2 has an objectaccess 1040 which seeks to perform an action 1045 on the object 1060 inexecution context 3. It achieves this by using access point 1080 incontext barrier 600′ separating execution contexts 2 and 3. Object 1050in execution context 2 also has another object access 1090 which invokesan action 1095 on an object 1099 in the same execution context, that is,in execution context 2. Both actions 1035 and 1045 result in contextswitches as described in the explanation of FIG. 9. But as action 1095does not cross the context barrier, a context switch is not required forits execution, and therefore does not occur.

FIG. 11 is a flow chart of a process for permitting access by aprincipal in one context across a firewall into another context. Thereare essentially three steps to this process. In execution context 2, anobject to be accessed is created and designated as shared (1100). Inexecution context 1, the principal obtains a reference to the object inexecution context 2 (1110). The principal in execution context 1 theninvokes an action upon the object designated as shared in context 2(1120).

With respect to identifying or designating a created object as shareableas discussed in item 1100 of FIG. 11, this can be done, in accordancewith a specific embodiment of the invention, by including a shareableattribute in the header of an object's representation. Information in anobject's header cannot be accessed by programs written in theobject-oriented language, but is only available to the VM itself.

Obtaining a reference to an object in another context is a special caseof accessing an object in another context. A mechanism that providesaccess to an object in another context can make other objects availablealso. For instance, invoking a method on an object in another contextmay return a reference to a second object in a different context. Anadditional mechanism is required to allow an initial reference to anobject in a different context to be obtained. In a specific embodiment,references to certain well-known entry point objects can be obtainedusing a public API. Once the initial reference to an object in adifferent context is obtained, further references can be obtained fromthat object, and so on.

There are four general approaches to obtaining information across acontext barrier in accordance with the invention. These approaches canbe utilized individually or in combination in order to access an objectacross a context barrier or to obtain a reference of an object to beaccessed across a context barrier (1110). These approaches are describedin FIGS. 12-18.

FIG. 12 is a block diagram illustrating the use of entry point objectsto permit access across a context barrier. As shown in FIG. 12, someobject 1200 in context 770 (context 1) desires access to information insupercontext 760. In the specific embodiment, a supercontext 760contains at least one entry point object 1210. The entry point object1210 can be published as part of a public API, or can be made availableindirectly through a published API (e.g., in accordance with themechanisms described previously with reference to FIG. 11), so that eachcontext subordinate to the supercontext may communicate with the entrypoint object of the supercontext. (It will be appreciated that in otherembodiments, entry point objects may be housed by a context other thanthe supercontext.)

FIG. 13 is a block diagram illustrating the use of global datastructures to permit access across a firewall. In this approach,supercontext 760 creates a global data structure such as a global array.In the specific embodiment supercontext 760 is the only contextpermitted to create such a global data structure. (It will beappreciated that in other embodiments, global data may be housed by acontext other than the supercontext.) By virtue of its global status,each of the contexts 770 and 780 may read and write to the global datastructure. Thus, information written into the global data structure byone context can be read by another context. For example, this mechanismcan be used to pass binary data or references to objects betweencontexts.

FIG. 14 is a block diagram illustrating the use of supercontextprivileges to permit access across a context barrier. In FIG. 14, anobject in supercontext 760 seeks access to context 780 across thecontext barrier separating the two. Supercontext 760 can invoke any ofthe methods of context 780 and can access any of the data containedwithin context 780, by virtue of the privileges associated with thesupercontext.

FIG. 15 is a block diagram illustrating the use of shareable interfaceobjects to permit access across a firewall. A shareable interfacedefines a set of shareable interface methods. A shareable interfaceobject is an object that implements at least the set of methods definedin a shareable interface. In FIG. 15, object 1210 in context 2 (780) isa shareable interface object. An object access 1200 in another context770 can invoke any of the shareable interface methods on the object 1210if the principal of the object access 1200 is authorized to do so by theobject 1210 itself. This authorization is further discussed withreference to FIG. 18 below.

It will be appreciated that a virtual machine consistent with theinvention provides functionality beyond that of earlier virtualmachines, such as the virtual machine described in the Java™ VirtualMachine Specification. In particular, consistently with the invention,the virtual machine provides functionality to implement or to facilitatea security enforcement process that permits access across a firewall.This process is described next with reference to FIGS. 16-18. Note thatit is applicable to any approach for providing access across thefirewall, including but not limited to the four approaches describedwith reference to FIGS. 12-15 above.

FIG. 16 is a flow chart of a security enforcement process permittingaccess across a firewall. When a principal attempts to invoke action onan object 1600, a check is made to determine if the object is within thecontext of the principal (1610). If it is, (1610-Y), the action ispermitted (1630). If it is not, (1610-N), a check is made to see if theaction by the principal is permitted on the object (1620). If it is,(1620-Y), the action is permitted (1630). If it is not, (1620-N), theaction is disallowed. In the specific embodiment a security exception isthrown (1640).

FIG. 17 is the flow chart of FIG. 16 showing further details of block1620. If the object is not within the context of the principal (1610-N),a plurality of tests, 1621, 1622, 1623 . . . 1629 are undertaken to seeif the action by the principal is permitted on the object. These testscan be done by the virtual machine alone or by the virtual machine plusthe object, in a virtual machine object oriented implementation. If anyof the tests results in a pass, the action is permitted (1630). However,if all tests result in a negative determination (162X—No), the actionwill be disallowed. In a specific embodiment, a security exception willbe thrown (1640). These tests relate to the permitted access discussedin conjunction with FIGS. 12-15.

FIG. 18 is a flow chart showing an exemplary implementation of block1629 of FIG. 17 for use with access method described in FIG. 15. In atest, such as 829 or 1629, a virtual machine checks if the object is ashared object 1810. If it is not (1810—No), the test will fail. However,if it is (1810—Yes), the virtual machine will invoke the method A onobject O (1820). If the method A on object O determines that theprincipal is authorized (1830), the test will be passed (1840) andaccess permitted. Otherwise, the test will fail (1850). This allows theauthorization text to be programmed into the code of the object itself.

Although the invention has been illustrated with respect to a smart cardimplementation, the invention applies to other devices with a smallfootprint, not just to smart cards. Devices with a small footprint aregenerally considered to be those that are restricted or limited inmemory or in computing power or speed. Such small footprint devices mayinclude boundary scan devices, field programmable devices, pagers andcellular phones among many others.

In general, small footprint devices are resource constrainedcomputational devices and systems where secure interoperation ofexecution contexts is a concern. Such small devices impose constraintson the implementation of security measures because of their limitedresources. Because of resource constraints, in a virtual machineimplementation, a single virtual or physical machine must be used asopposed to multiple virtual machines.

The invention may also be applied to devices with larger footprintswhere the characteristics of the invention may prove beneficial. Forexample, the invention may prove advantageous when using servlets ifthere is object sharing between them. Even some desktop systems mayprofitably utilize the techniques of the invention.

While the Java™ language and platform are suitable for the invention,any language or platform having certain characteristics would be wellsuited for implementing the invention. These characteristics includetype safety, pointer safety, object-oriented, dynamically linked, andvirtual-machine based. Not all of these characteristics need to bepresent in a particular implementation. In some embodiments, languagesor platforms lacking one or more of these characteristics may beutilized. A “virtual machine” could be implemented either in bits(virtual machine) or in silicon (real/physical machines).

Although the invention has been illustrated showing object by objectsecurity, other approaches, such as class by class security could beutilized.

Although the present invention has been described and illustrated indetail, it is clearly understood that the same is by way of illustrationand example only and is not to be taken by way of limitation, the spiritand scope of the present invention being limited only by the terms ofthe appended claims and their equivalents.

1. A small footprint device comprising: at least one processing element,on said small footprint device, configured to execute groups of one ormore program modules in separate contexts, wherein said separatecontexts are included in a runtime environment on said small footprintdevice, and further wherein said runtime environment includes anoperating system where said separate contexts are removed from and oversaid operating system on said small footprint device, wherein said oneor more program modules comprising zero or more sets of executableinstructions and zero or more sets of data definitions, said zero ormore sets of executable instructions and said zero or more datadefinitions grouped as object definitions, and each context comprising aprotected object instance space such that at least one of said objectdefinitions is instantiated in association with a particular context; amemory, on the small footprint device, comprising instances of objects;a context barrier, in said runtime environment and removed from and oversaid operating system, for separating and isolating said contexts, saidcontext barrier configured for controlling execution of at least oneinstruction of one of said zero or more sets of instructions comprisedby a program module based at least in part on whether said at least oneinstruction is executed for an object instance associated with a firstone of said separate contexts and whether said at least one instructionis requesting access to an instance of an object definition associatedwith a second one of said separate contexts, said context barrierfurther configured to prevent said access if said access is unauthorizedand enable said access if said access is authorized; and an entry pointobject, in said runtime environment and removed from and over saidoperating system, for permitting one program module, in one of saidseparate contexts, to directly access information from another programmodule, in another of said separate contexts, across said contextbarrier.
 2. The small footprint device of claim 1 in which said contextbarrier allocates separate name spaces for each program module.
 3. Thesmall footprint device of claim 1 in which at least two program modulescan access said entry point object even though they are located indifferent respective name spaces.
 4. The small footprint device of claim1 in which said context barrier allocates separate memory spaces foreach program module.
 5. The small footprint device of claim 4 in whichat least two program modules can access said entry point object eventhough they are located in different respective memory spaces.
 6. Thesmall footprint device of claim 1 in which said context barrier enforcessecurity checks on at least one of a principal, an object, and anaction.
 7. The small footprint device of claim 6 in which at least onesecurity check is based on partial name agreement between a principal,and an object.
 8. The small footprint device of claim 7 in which atleast one program can access said entry point object without said atleast one security check.
 9. The small footprint device of claim 6 inwhich at least one security check is based on memory space agreementbetween a principal and an object.
 10. The small footprint device ofclaim 9 in which at least one program can access said entry point objectwithout said at least one security check.
 11. The small footprint deviceof claim 1 wherein an object instance is associated with a context byrecording the name of said context in a header of said object instance,information in said header inaccessible to said one or more programmodules.
 12. The small footprint device of claim 1 wherein said memorycomprises object header data, said object header data comprisinginformation associated with at least one of said instances of objects;and said controlling execution is based at least in part on said objectheader data.
 13. The small footprint device of claim 1 wherein saidmemory is partitioned into a plurality of memory spaces with instancesof objects allocated for storage in one of said plurality of storagespaces; and said controlling execution is based at least in part ondetermining the storage space allocated to an executing object instanceand an accessed object instance.
 14. A method of operating a smallfootprint device that includes a processing machine, wherein programmodules are executed on the processing machine, the method comprising:separating contexts, on said small footprint device, using a contextbarrier, said context barrier configured for controlling execution of atleast one instruction of one of zero or more sets of instructionscomprised by a program module based at least in part on whether said atleast one instruction is executed for an object instance associated witha first one of said separate contexts and whether said at least oneinstruction is requesting access to an instance of an object definitionassociated with a second one of said separate contexts, wherein saidseparate contexts and said context barrier are included in a runtimeenvironment on said small footprint device and further wherein saidruntime environment includes an operating system where said separatecontexts and said context barrier are removed from and over saidoperating system, said separating further comprising: preventing saidaccess if said access is unauthorized; and enabling said access if saidaccess is authorized; executing groups of one or more program modules inseparate contexts, said one or more program modules comprising zero ormore sets of executable instructions and zero or more sets of datadefinitions, said zero or more sets of executable instructions and saidzero or more data definitions grouped as object definitions, eachcontext comprising a protected object instance space such that at leastone of said object definitions is instantiated in association with aparticular context; and permitting direct access to information from oneprogram module, in one of said separate contexts, by another programmodule, in another of said separate contexts, across said contextbarrier using an entry point object wherein said entry point object isin said runtime environment and is removed from and over said operatingsystem.
 15. The method of claim 14 wherein an object instance isassociated with a context by recording the name of said context in aheader of said object instance, information in said header inaccessibleto said one or more program modules.
 16. The method of claim 14 whereinsaid controlling execution is based at least in part on object headerdata comprising information associated with at least one of saidinstances of objects.
 17. The method of claim 14 wherein a memory ofsaid small footprint device is partitioned into a plurality of memoryspaces with instances of objects allocated for storage in one of saidplurality of storage spaces; and said controlling execution is based atleast in part on determining the storage space allocated to an executingobject instance and an accessed object instance.
 18. A method ofpermitting access to information on a small footprint device from afirst program module to a second program module separated by a contextbarrier, said small footprint device comprising: at least one processingelement, on the small footprint device, configured to execute groups ofone or more program modules in separate contexts, said one or moreprogram modules comprising zero or more sets of executable instructionsand zero or more sets of data definitions, said zero or more sets ofexecutable instructions and said zero or more data definitions groupedas object definitions, each context comprising a protected objectinstance space such that at least one of said object definitions isinstantiated in association with a particular context wherein saidseparate contexts are included in a runtime environment on the smallfootprint device and further wherein said runtime environment includesan operating system where said separate contexts are removed from andover said operating system; a memory, on said small footprint device,comprising instances of objects; and a context barrier, in said runtimeenvironment and removed from and over said operating system, forseparating and isolating said contexts, said context barrier configuredfor controlling execution of at least one instruction of one of saidzero or more sets of instructions comprised by a program module based atleast in part on whether said at least one instruction is executed foran object instance associated with a first one of said separate contextsand whether said at least one instruction is requesting access to aninstance of an object definition associated with a second one of saidseparate contexts, said context barrier further configured to preventsaid access if said access is unauthorized and enable said access ifsaid access is authorized, the method comprising: creating an entrypoint object, in said runtime environment and removed from and over saidoperating system, which may be accessed by at least two program modules;and using said entry point object to permit direct access to informationfrom one program module of said at least two program modules, in one ofsaid separate contexts, by an other program module of said at least twoprogram modules, in another of said separate contexts, across saidcontext barrier.
 19. The method of claim 18 wherein an object instanceis associated with a context by recording the name of said context in aheader of said object instance, information in said header inaccessibleto said one or more program modules.
 20. The method of claim 18 whereinsaid controlling execution is based at least in part on object headerdata comprising information associated with at least one of saidinstances of objects.
 21. The method of claim 18 wherein a memory ofsaid small footprint device is partitioned into a plurality of memoryspaces with instances of objects allocated for storage in one of saidplurality of storage spaces; and said controlling execution is based atleast in part on determining the storage space allocated to an executingobject instance and an accessed object instance.
 22. A computer programproduct, comprising: a memory storage medium; and a computer controllingelement comprising instructions for implementing a context barrier on asmall footprint device and for bypassing said context barrier using anentry point object to permit direct access to information from oneprogram module, in one context, by another program module, in adifferent separate context, wherein said context barrier and said entrypoint object are included in a runtime environment on the smallfootprint device and further wherein said runtime environment includesan operating system where said context barrier and said entry point areremoved from and over said operating system, said small footprint devicecomprising: at least one processing element, on said small footprintdevice, configured to execute groups of one or more program modules inseparate contexts, said one or more program modules comprising zero ormore sets of executable instructions and zero or more sets of datadefinitions, said zero or more sets of executable instructions and saidzero or more data definitions grouped as object definitions, eachcontext comprising a protected object instance space such that at leastone of said object definitions is instantiated in association with aparticular context where said separate contexts are included in saidruntime environment and are removed from and over said operating system;a memory, on the small footprint device, comprising instances ofobjects; and a context barrier for separating and isolating saidcontexts, said context barrier configured for controlling execution ofat least one instruction of one of said zero or more sets ofinstructions comprised by a program module based at least in part onwhether said at least one instruction is executed for an object instanceassociated with a first one of said separate contexts and whether saidat least one instruction is requesting access to an instance of anobject definition associated with a second one of said separatecontexts, said context barrier further configured to prevent said accessif said access is unauthorized and enable said access if said access isauthorized.
 23. A computer program product, comprising: a memory storagemedium; and a computer controlling element comprising instructions forseparating a plurality of programs on a small footprint device byrunning them in respective contexts and for permitting one program toaccess information from another program by bypassing a context barrierusing an entry point object to permit direct access to information fromone program, in one context, by another program in a different separatecontext, wherein said context barrier and said entry point object areincluded in a runtime environment on the small footprint device andfurther wherein said runtime environment includes an operating systemwhere said context barrier and said entry point are removed from andover said operating system, said small footprint device comprising: atleast one processing element, on said small footprint device, configuredto execute groups of one or more program modules in separate contexts,said one or more program modules comprising zero or more sets ofexecutable instructions and zero or more sets of data definitions, saidzero or more sets of executable instructions and said zero or more datadefinitions grouped as object definitions, each context comprising aprotected object instance space such that at least one of said objectdefinitions is instantiated in association with a particular contextwhere said separate contexts are included in said runtime environmentand are removed from and over said operating system; a memory, on thesmall footprint device, comprising instances of objects; and a contextbarrier for separating and isolating said contexts, said context barrierconfigured for controlling execution of at least one instruction of oneof said zero or more sets of instructions comprised by a program modulebased at least in part on whether said at least one instruction isexecuted for an object instance associated with a first one of saidseparate contexts and whether said at least one instruction isrequesting access to an instance of an object definition associated witha second one of said separate contexts, said context barrier furtherconfigured to prevent said access if said access is unauthorized andenable said access if said access is authorized.
 24. A method oftransmitting code over a network, comprising transmitting a block ofcode from a server, said block of code comprising instructions forimplementing an entry point object for bypassing a context barrier on asmall footprint device over a communications link, wherein said contextbarrier and said entry point object are included in a runtimeenvironment and further wherein said runtime environment includes anoperating system where said context barrier and said entry point areremoved from and over said operating system and further wherein saidentry point object permits direct access to information from one programmodule, in one context, by another program module in another differentcontext, said small footprint device comprising: at least one processingelement, on the small footprint device, configured to execute groups ofone or more program modules in separate contexts, said one or moreprogram modules comprising zero or more sets of executable instructionsand zero or more sets of data definitions, said zero or more sets ofexecutable instructions and said zero or more data definitions groupedas object definitions, each context comprising a protected objectinstance space such that at least one of said object definitions isinstantiated in association with a particular context where saidseparate contexts are included in said runtime environment, on the smallfootprint device, and are removed from and over said operating system; amemory, on the small footprint device, comprising instances of objects;and a context barrier for separating and isolating said contexts, saidcontext barrier configured for controlling execution of at least oneinstruction of one of said zero or more sets of instructions comprisedby a program module based at least in part on whether said at least oneinstruction is executed for an object instance associated with a firstone of said separate contexts and whether said at least one instructionis requesting access to an instance of an object definition associatedwith a second one of said separate contexts, said context barrierfurther configured to prevent said access if said access is unauthorizedand enable said access if said access is authorized.